CVE-2024-13992: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 2024R1.1 contain a cross-site scripting (XSS) vulnerability in the "missing page" (404) page component. The vulnerability was discovered by Adam Kues from Assetnote and assigned CVE-2024-13992. The issue affects the page-missing.php component, which fails to properly validate or escape user-supplied input when users visit the 404 page after following a link from another website (VulnCheck Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v4.0 Base Score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. Under CVSS v3.1, it received a Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (VulnCheck Advisory).

When exploited, this vulnerability allows an attacker to craft a malicious link that, when visited by a victim, executes arbitrary JavaScript in the victim's browser within the Nagios XI domain (VulnCheck Advisory).

The vulnerability has been patched in Nagios XI version 2024R1.1. Users are advised to upgrade to this version or later to address the security issue (Nagios Changelog).